[kay.sievers at vrfy.org]

Daniel J Walsh dwalsh at redhat.com
Tue Feb 7 14:55:17 UTC 2006


Kay Sievers wrote:
> On Mon, Feb 06, 2006 at 01:35:35PM -0500, Stephen Smalley wrote:
>   
>> On Mon, 2006-02-06 at 13:15 -0500, Daniel J Walsh wrote:
>>     
>>> How about if we changed the call to
>>>         if ( mode & S_IFBLK ) {
>>>             media = get_media(devname, mode);
>>>             if (media) {
>>>                 ret = matchmediacon(media, &scontext);
>>>                 free(media);
>>>             }
>>>         }
>>>       
>> You already have a test of (mode & S_IFBLK) on entry to get_media, so I
>> don't see what that buys you.  Still limited to ide devices by get_media
>> only checking /proc/ide.  I don't think her concern with the media
>> support was performance, just generality and use of sysfs.  Performance
>> concern was with selinux_init.
>>
>> On the performance overhead issue, only real improvement would be to
>> move all matchpathcon_init+matchpathcon processing into the daemon and
>> have the daemon pass the required contexts to the event commands on the
>> command line or via pipe.  
>>     
>
> The udev event processes, the ones that actually create the device node
> are just clones of the main daemon, they run the same code, the same
> memory as the main daemon, they don't exec() anything. So everything that
> is available in the main daemon before the event process is forked, will
> also be available in the event process itself while it is creating the
> node.
>
> That's the reason I was asking, cause it sounds like the current selinux
> integration could be optimized. Seems there is no need for any pipe or other
> ipc, if selinux is fine with the inherited state from the daemon.
>
> Thanks,
> Kay
>   
Yes, I think it should work fine.

I think a patch like the following should also be added to udev_selinux.


-               media = get_media(devname, mode);
-               if (media) {
-                       ret = matchmediacon(media, &scontext);
-                       free(media);
+               if ( mode & S_IFBLK ) {
+                       media = get_media(devname, mode);
+                       if (media) {
+                               ret = matchmediacon(media, &scontext);
+                               free(media);
+                       }
                }
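
Review bot: `mode & S_IFBLK` on the `+ if ( mode & S_IFBLK ) {` line does not test for a block device. S_IFBLK is the two-bit value 0060000 inside the S_IFMT field, so the AND is also non-zero for S_IFCHR (0020000) and S_IFDIR (0040000), and the new guard still sends character devices into get_media(); use `S_ISBLK(mode)` (or `(mode & S_IFMT) == S_IFBLK`), and apply the same fix to the test Stephen Smalley says already sits on entry to get_media(), which this outer check otherwise only repeats. Two smaller points: the hunk carries no `@@` header or file name, so it cannot be applied with patch(1) as posted, and the spacing in `( mode & S_IFBLK )` differs from the `if (media)` style of the surrounding lines.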

More information about the fedora-selinux-list mailing list